| Name | Date | Size | #Lines | LOC |
|---|---|---|---|---|
| .. | 03-May-2022 | - | | |
| m4/ | 27-Jan-2016 | - | 11,383 | 10,399 |
| po/ | 03-May-2022 | - | 2,625 | 2,326 |
| src/ | 03-May-2022 | - | 18,329 | 14,216 |
| tests/ | 03-May-2022 | - | 4,744 | 4,061 |
| ABOUT-NLS | 27-Jan-2016 | 93.1 KiB | 1,328 | 1,280 |
| AUTHORS | 27-Jan-2016 | 35 | 2 | 1 |
| COPYING | 27-Jan-2016 | 174 | 4 | 3 |
| COPYING.LIB | 27-Jan-2016 | 25.9 KiB | | |
| ChangeLog | 27-Jan-2016 | 73.3 KiB | 1,784 | 1,502 |
| Makefile.am | 27-Jan-2016 | 1.6 KiB | 56 | 45 |
| Makefile.in | 27-Jan-2016 | 28.6 KiB | 926 | 824 |
| NEWS | 27-Jan-2016 | 11 KiB | 195 | 194 |
| README | 27-Jan-2016 | 8.4 KiB | 172 | 166 |
| README.heimdal-pkinit | 27-Jan-2016 | 240 | 5 | 4 |
| README.mit-pkinit | 27-Jan-2016 | 437 | 9 | 8 |
| README.winbind | 27-Jan-2016 | 2.2 KiB | 53 | 46 |
| TODO | 27-Jan-2016 | 194 | 7 | 6 |
| aclocal.m4 | 27-Jan-2016 | 44.4 KiB | 1,235 | 1,124 |
| compile | 27-Jan-2016 | 7.2 KiB | 348 | 258 |
| config.guess | 27-Jan-2016 | 41.9 KiB | 1,422 | 1,230 |
| config.h.in | 27-Jan-2016 | 16 KiB | 518 | 355 |
| config.rpath | 27-Jan-2016 | 18 KiB | 673 | 569 |
| config.sub | 27-Jan-2016 | 35.2 KiB | 1,808 | 1,670 |
| configure | 27-Jan-2016 | 559.4 KiB | 19,110 | 16,016 |
| configure.ac | 27-Jan-2016 | 25 KiB | 639 | 592 |
| depcomp | 27-Jan-2016 | 23 KiB | 792 | 502 |
| install-sh | 27-Jan-2016 | 14.3 KiB | 502 | 327 |
| ltmain.sh | 27-Jan-2016 | 316.5 KiB | 11,148 | 7,979 |
| missing | 27-Jan-2016 | 6.7 KiB | 216 | 143 |
| pam_krb5.spec | 27-Jan-2016 | 31.6 KiB | 808 | 603 |
README
This is a major rewrite of pam_krb5afs. Call it 2.x, for lack of a better term.

o Compared to the earlier releases, this tree builds a single module which
  "knows" how to do everything which is knowable at compile-time.
o Configuration options which can now be set as library defaults in the
  system-wide krb5.conf are now largely ignored by the module.

Standard options:
o debug
  Log debugging messages at LOG_DEBUG priority.
o debug_sensitive
  Even log passwords when logging debugging messages at LOG_DEBUG priority.
o no_warn
  When authenticating, don't warn the user about an expired password.
o use_authtok
  When changing passwords, never prompt for password data. Instead, use
  data stored by a previously-called module.
o use_first_pass
  When authenticating, never prompt for password data. Instead, use a
  password which was stored by a previously-called module.
o try_first_pass
  When authenticating, first try to authenticate using the password which
  was stored by a previously-called module. If it fails, then prompt for
  the correct password and try again.

Recognized options (krb5.conf's appdefaults/pam section, and command-line):
o always_allow_localname
  Always allow the local user, as derived from the principal name being
  authenticated, to access the account, even when not explicitly listed in
  the .k5login file or its equivalent(s).
o armor
  Attempt to use a secondary credential cache for armoring exchanges with
  the KDC.
o armor_strategy
  Override how the module attempts to obtain credentials for use as armor.
  By default, the module supports these methods:
    keytab  Use the default or configured keytab to get a service's TGT.
    pkinit  Use anonymous PKINIT.
  The default list of methods, and their order, is noted in the manual pages.
o banner=Kerberos
  When changing passwords, tell users that they are changing their Kerberos
  passwords (unset to avoid using any term other than "password").
o ccache_dir=/tmp
  Directory in which to store ccache and ticket files.
o ccname_template=FILE:%d/krb5cc_%U_XXXXXX
  Location of the user's v5 ccache files. If not configured, the module will
  attempt to read the library's default.
o chpw_prompt
  Allow expired passwords to be changed during authentication attempts. While
  this is the traditional behavior exhibited by "kinit", it is inconsistent
  with the behavior expected by PAM, which expects authentication to (appear to)
  succeed and to have password expiration be flagged by the account management
  function. Some applications which don't handle password expiration will fail
  incorrectly if the user's password is correct but expired, and setting this
  flag attempts to work around the bug.
o cred_session
  Control whether or not pam_krb5 will create/remove credential caches when
  the calling application initializes or deletes PAM credentials. The module
  will do so when the application opens and closes the PAM session, and this
  is usually harmless, so it is typically enabled by default.
o debug
  debug = service1 service2
  Log debug messages to syslog with priority LOG_DEBUG.
o external
  external = service1 service2
  Attempt to reuse credentials stored in a ccache pointed to by the KRB5CCNAME
  variable in the PAM environment. This is mainly useful for situations where
  the calling application authenticated the user using GSSAPI, the user
  delegated credentials to the calling application, and you're using pam_krb5
  to obtain a v4 Kerberos ticket via krb524, or AFS tokens. The calling
  application MUST ensure that KRB5CCNAME points to a ccache which should be
  used for the authenticating user. A default list of services can be set at
  compile-time.
o ignore_afs
  Disable the default behavior of attempting to obtain tokens for the local
  AFS cell on behalf of clients.
o ignore_k5login
  Disable additional authorization checks using the krb5_kuserok() function,
  which typically checks the user's .k5login file.
o ignore_unknown_principals
  ignore_unknown_spn
  ignore_unknown_upn
  Control whether or not users with unknown principal names should trigger
  a PAM_IGNORE error instead of a PAM_USER_UNKNOWN error.
o initial_prompt
  Control whether pam_krb5 should ask for the user's password itself, or let
  libkrb5 do it as needed.
o keytab=/etc/krb5.keytab
  Default keytab to use when validating initial credentials. Can be overridden
  at configure-time.
o mappings = regex regex [regex regex...]
  Specifies that pam_krb5 should derive the user's principal name from the Unix
  user name by first checking if the user name matches the first regex, and
  if it matches, formulating a principal name using the second regex. Multiple
  pairs of regular expressions can be used.
  For example,
    mappings = ^EXAMPLE\\(.*)$ $1@EXAMPLE.COM
  would map any user with a name of the form "EXAMPLE\whatever" to a principal
  name of "whatever@EXAMPLE.COM". This is primarily targeted at allowing
  pam_krb5 to be used to authenticate users whose user information is provided
  by winbindd.
  Note that this will frequently require the reverse to be configured by
  setting up an auth_to_local rule elsewhere in krb5.conf.
o minimum_uid=NUMBER
  Minimum UID which the user must have before pam_krb5.so will attempt to
  authenticate that user; otherwise it will ignore the user.
o multiple_ccaches
  Specifies that pam_krb5 should maintain multiple credential caches for
  the application, which sets credentials and opens a PAM session, but
  sets the KRB5CCNAME variable after doing only one of the two. This
  option is usually not necessary for most services, but the option is
  provided as a workaround.
o no_validate
  no_validate = service1 service2
  Don't try to validate initial credentials.
o no_user_check
  Go ahead and authenticate users for whom getpwnam() returns no information.
  Credential cache and ticket files will be created and owned by the current
  user and group ID instead of the user's.
o null_afs
  Attempt to get credentials for AFS by guessing a service name of the form
  afs@REALM first, and then one of the form afs/cell@REALM, rather than
  proceeding in the opposite order.
o pkinit_identity=LOCATION (Heimdal-specific)
  Specify the location of the user's private key and certificate information,
  in the same format which would be passed to kinit as an argument for its
  -C/--pk-user command-line option.
o pkinit_flags=NUMBER (Heimdal-specific)
  Specify a flags value to pass to libkrb5, useful mainly for debugging.
o preauth_options=OPT=VAL[,...] (MIT-specific)
  Specify arbitrary preauthentication options to pass to libkrb5, useful
  mainly for debugging.
o realm=REALM
  Override the default realm.
o subsequent_prompt
  Control whether or not pam_krb5 should just return the PAM_AUTHTOK when
  libkrb5 requests that pam_krb5 get information from the user.
o tokens
  tokens = service1 service2
  Create a new AFS PAG and obtain AFS tokens during the authentication phase.
  By default, tokens are obtained for the local cell (and the cell which
  contains the user's home directory, if they're not the same).
o token_strategy
  Override how the module attempts to get credentials and set AFS tokens.
  By default, the module supports these methods:
    2b    Get krb5 credentials, and use the "2b" rxkad token format, which
          is only supported in OpenAFS 1.2.8 and later.
    rxk5  Get krb5 credentials, and use the rxk5 token format, which may be
          supported in OpenAFS 1.6 and later.
  The default list of methods, and their order, is noted in the manual pages.
o trace
  trace = service1 service2
  Log libkrb5 trace messages to syslog with priority LOG_DEBUG, if the
  Kerberos implementation provides a means to let pam_krb5 do so.
o use_shmem
  use_shmem = service1 service2
  Pass credentials from authentication to session management using shared
  memory instead of PAM data items. This allows authentication and session
  management to be performed in different processes, so long as the PAM
  environment is correctly propagated from one to the other. A default list
  of services can be set at compile-time.
o validate_user_user
  validate_user_user = service1 service2
  If validation fails due to permissions problems, attempt to validate initial
  credentials using previously-obtained credentials in the default ccache.

Configuration file only:
o afs_cells = cell1 cell2 cell3 cell4=afs/cell4@EXAMPLE.COM

This module is hosted on fedorahosted.org. For more information, point a
web browser at "http://fedorahosted.org/pam_krb5/".

README.heimdal-pkinit
In addition to specifying the user's pkinit_identity to pam_krb5, Heimdal
expects, at minimum, to be configured with the location of the trusted root
certificates using the "pkinit_anchors" option in the [libdefaults] section
of krb5.conf.

README.mit-pkinit
MIT Kerberos expects, at minimum, to be configured with the location of the
trusted root certificates and the user's identity. These options, passed
through the "preauth_options" option, include:
  X509_anchors (for example "FILE:/etc/pki/tls/cert.pem")
  X509_user_identity (for example "PKCS11:/usr/$LIB/libcoolkeypk11.so")
Their corresponding names in the [libdefaults] section of krb5.conf are:
  pkinit_anchors
  pkinit_identities

README.winbind
Winbind makes users who are members of a domain appear to be normal users, with
the domain name frequently included as a prefix of the user name. Kerberos
doesn't handle this perfectly.

Specifically, for a user named tester in domain TEST and realm
TEST.EXAMPLE.COM, we have two names.

Kerberos principal name (userPrincipalName): tester@TEST.EXAMPLE.COM
Winbind/POSIX user name: TEST\tester

For certain internal functions (such as access control checking using a
user's .k5login file), the library will need to convert a principal name
to a user name. This is controlled by the 'auth_to_local_names' and
'auth_to_local' configuration settings for the default realm in /krb5.conf.
One such mapping would look like:
  [libdefaults]
   default_realm = TEST.EXAMPLE.COM
  [realms]
   TEST.EXAMPLE.COM = {
    auth_to_local = RULE:[1:$0\$1](TEST\.EXAMPLE\.COM\\.*)s/TEST\.EXAMPLE\.COM/TEST/g
    auth_to_local = DEFAULT
   }

The argument to RULE: is the concatenation of:
* An optional input formulation
  "[" number-of-components ":" template "]"
  Where number-of-components is the number of instance parts + 1, and the
  template mixes literal text with portions of the principal name ($1
  is the root part, $2 is the first instance, $3 the second, etc., $0 the
  realm in MIT krb5 1.3.4 and later).
* An optional regex
  If specified, the formulated string must match this regexp for this rule
  to be applied.
* An optional sed expression
  "s/" matchexp "/" output "/" ["g"]

The DEFAULT rule more or less equates to
  RULE:[1:$1]
and must be explicitly listed to benefit from its effects if any RULEs are
specified.

This solves one problem, but pam_krb5 needs some way to convert a user name
which is provided by PAM into a principal name, and there is no configurable
way to do this using the Kerberos libraries. To support this, pam_krb5 has a
"mappings" configuration directive which can be used to map a user name to a
principal name. The directive takes pairs of arguments (regexps and output
specifiers). A specifier can refer to a substring matched in its regexp by
specifying a "$" and the relative location of the substring in the regexp.
  [appdefaults]
  pam = {
   mappings = ^TEST\\(.*)$ $1@TEST.EXAMPLE.COM
  }

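The two mapping directions above (the auth_to_local RULE form that turns a principal into a winbind user name, and the pam_krb5 "mappings" pairs from this README and from the main README's "mappings" option that turn it back) as an added worked example; this is illustrative code, not pam_krb5's or libkrb5's, and it assumes Python's re engine behaves like the POSIX regex engines for these patterns and that a rule's regex must match the whole formulated string.

```python
import re
# Added illustration (not pam_krb5's or libkrb5's code) of README.winbind's two mapping
# directions; '$n' means the n-th piece ($0 realm, $1 root, $2.. instances in a RULE
# template; regex group n in a mappings output spec). Python re stands in for POSIX regex.

def apply_rule(rule, principal, default_realm):
    """Evaluate one auth_to_local entry; return the local name or None."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if rule == "DEFAULT":  # README: roughly RULE:[1:$1]; assumed limited to the default realm
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = re.fullmatch(r"RULE:(?:\[(\d+):([^\]]*)\])?(?:\((.*)\))?(s/.*)?", rule)
    if not m:
        raise ValueError("unparseable rule: " + rule)
    ncomp, template, regex, sed = m.groups()
    if ncomp is not None and len(comps) != int(ncomp):
        return None  # [n:...] applies only to principals with exactly n components
    parts = [realm] + comps
    s = re.sub(r"\$(\d+)", lambda g: parts[int(g.group(1))], template or "")
    if regex is not None and not re.fullmatch(regex, s):
        return None  # the formulated string must match the regex for the rule to apply
    if sed:
        mexp, out, flag = re.fullmatch(r"s/(.*?)/(.*?)/(g?)", sed).groups()
        s = re.sub(mexp, out, s, count=0 if flag else 1)
    return s

def principal_to_user(rules, principal, default_realm):
    """First auth_to_local entry that yields a name wins; None means no local user."""
    for rule in rules:
        user = apply_rule(rule, principal, default_realm)
        if user is not None:
            return user
    return None

def user_to_principal(mappings, user):
    """pam_krb5 'mappings': regex/output pairs, first matching pair wins, else None."""
    for regex, output in zip(mappings[::2], mappings[1::2]):
        m = re.fullmatch(regex, user)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), output)
    return None  # no pair matched; pam_krb5 then derives the principal its usual way

# The krb5.conf values from this README, as constructed Python strings.
DEFAULT_REALM = "TEST.EXAMPLE.COM"
AUTH_TO_LOCAL = [r"RULE:[1:$0\$1](TEST\.EXAMPLE\.COM\\.*)s/TEST\.EXAMPLE\.COM/TEST/g", "DEFAULT"]
MAPPINGS = [r"^TEST\\(.*)$", "$1@TEST.EXAMPLE.COM"]

def round_trip(principal):  # principal -> winbind user name -> principal
    user = principal_to_user(AUTH_TO_LOCAL, principal, DEFAULT_REALM)
    return user, (user_to_principal(MAPPINGS, user) if user else None)
```

A two-component principal such as host/www@TEST.EXAMPLE.COM matches neither the [1:...] rule nor DEFAULT and so gets no local user, which is the behaviour the .k5login check relies on.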